Why Do People Hate Passwords?

The password: love it or loathe it, this concept and practice have been a cornerstone of basic security for a long time. After covering cybercrime for the last few years, I have come to the conclusion that people hate passwords.

Let’s examine that – why do people hate passwords?

“I think people hate passwords because it’s something else to remember – and something else to forget,” said Aaron Bay, Chief Analyst for SurfWatch Labs. “The need to protect ourselves, and our information, has snowballed into this large, terrible thing we have in place now. Hardware and software have been developed to combat it, but there is still the problem of now someone else is in control of your access.”

Bay points to the compromise of RSA’s SecurID and the recent vulnerability found in the password management program KeePass to further explain the complications of passwords.

“In 2011, the RSA SecurID was compromised, and the thousands of organizations – including the U.S. Government – that relied on their tokens were now at risk. The password manager KeePass recently had a flaw discovered that allowed attackers to steal passwords directly from the database. These are two examples where these beneficial systems have failed. It is safe to say that these systems, and others, will fail again at some point in the future.”

Without programs to help with the process of using strong passwords, the practice can be daunting. Listeners of the SurfWatch Cyber Risk Roundup who are familiar with our “Funny Story of the Week” have heard us talk about bad password practices. While some of the most common passwords are viewed as humorous – “123456” tops the charts every year – there is a real security concern with this trend.

The Password Reuse Problem

The main problem is one of volume. Websites, work accounts, devices, iPhone or Android apps, and even credit cards all require passwords or PINs. As a result of people reusing passwords, a number of companies have made headlines for cyber incidents, despite the fact they weren’t actually breached.

  • Amazon: “We discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. … We recommend that you choose a password that you have never used with any website.”
  • United Airlines: “We recently learned that an unauthorized party attempted to access your MileagePlus account with usernames and passwords obtained from a third-party source. These usernames and passwords were not obtained as a result of a United data breach and United was not the only company where attempts were made.”
  • Uber: “We investigated and found no evidence of a breach. … This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
  • Dropbox: “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”
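
A defender's view of the login attempts those statements describe, as an added example (not from the original article or any of the companies quoted): replaying a leaked list touches many different accounts from one source, while a forgetful user retries a single account. The log format, addresses and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2016-03-01T10:00:01 203.0.113.7 alice@example.com FAIL
2016-03-01T10:00:03 203.0.113.7 bob@example.com FAIL
2016-03-01T10:00:04 203.0.113.7 carol@example.com OK
2016-03-01T10:00:06 203.0.113.7 dave@example.com FAIL
2016-03-01T10:00:09 203.0.113.7 erin@example.com FAIL
2016-03-01T10:01:00 198.51.100.20 frank@example.com FAIL
2016-03-01T10:01:20 198.51.100.20 frank@example.com FAIL
2016-03-01T10:01:45 198.51.100.20 frank@example.com OK
"""

def parse(log_text):
    """Yield (time, ip, user, ok) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that try many distinct accounts inside one window.

    Returns {ip: sorted accounts that logged in successfully during the
    burst}. Those accounts are the reused passwords that worked and are
    the ones to lock and reset first. Thresholds are assumed values.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len({e[2] for e in burst}) >= min_users:
                flagged[ip].update(e[2] for e in burst if e[3])
    return {ip: sorted(users) for ip, users in flagged.items()}
```

The single-account retries from 198.51.100.20 are not flagged, which is why the count is over distinct usernames rather than over failures.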

“Password reuse is very common and more often than not leads to additional compromises when people’s passwords are exposed in the latest data breach,” Bay said, adding that each website having slightly different requirements also makes it harder for users to create unique passwords they can remember. “We not only have to remember the different passwords, when we have to change our passwords we have to remember the rules and make sure the new password doesn’t break them.”

I think everyone understands that remembering passwords can be a hassle. Some people attempt to circumvent this step and simply write the password down next to their work terminals, but that completely negates the point of a password, as it is now in view for everyone to see. If you think your co-workers would never use your password for malicious purposes, or for a practical joke, don’t be fooled. Several experts and reports have indicated that insider activity is one of the leading threats organizations face in combating cybercrime. According to SailPoint’s 7th Annual Market Pulse Survey, “1 in 5” employees share their passwords and login information with members of their team.

“Compounding the problem, 56% of respondents admitted to some level of daily password reuse for the corporate applications they access, with as many as 14% of employees using the same password across all applications,” the survey found.

Moving Beyond Passwords?

What are the alternatives to passwords? Last year, Yahoo decided to create an option for users that would allow them to log into their accounts without using a password. Instead of a password, a link would be sent via text message to a user’s phone that would validate their access.

There is also the popular topic of biometrics. In a recent example, the U.K. bank Atom launched a biometric authentication tool that utilizes a customer’s face and voice instead of a password for validation. The option to use a password still exists and the new biometric method remains as an option for customers.

Biometrics seem to be a trend around the validation process, but passwords remain the authentication option at this time.

“Biometrics is now being regarded as ‘the next big thing’ to use to protect us,” Bay said. “When Apple introduced the fingerprint reader into the iPhone, biometrics were thrust into the public view. Millions of people, basically overnight, now had a fingerprint reader.”

Bay said the fingerprint readers do work and, for the most part, are secure.

“Is it perfect, not hardly. Is it the best we have, unsure. Is it better than many other implementations, yes, without a doubt. However, it still relies on hardware and software to be perfect. Unfortunately, history has shown that is not possible.”

Whether you like passwords or not, until a better, proven solution replaces this validation method it is imperative that your passwords are secure. This message needs to be communicated and driven home to employees – even if they hate passwords.

Ransomware Making Headlines In Early 2016

In early 2015, the FBI issued a warning about the rise of ransomware attacks, noting that “there’s been a definite uptick lately in its use by cybercriminals.” A year after that warning we’re seeing a new surge in attacks, and concern over ransomware has risen sharply in the first quarter of 2016.

The number of ransomware-related CyberFacts collected by SurfWatch Labs has spiked dramatically to start the year.

Last year, the FBI explained that ransomware was continuing to evolve, writing that in the past “computers predominately became infected with [ransomware] when users opened e-mail attachments that contained malware.” That tactic had shifted and computers were now being easily infected using a “drive-by” method “where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”

The way cybercriminals demand ransom payments has also evolved. Initially, cybercriminals asked for ransom payments on pre-paid cards. Now Bitcoin is used, a better option for criminals “because of the anonymity the system offers.”

SurfWatch Labs’ data identified 49 companies associated with ransomware attacks so far in 2016, although the total number of companies affected by this threat is likely much higher as many companies do not disclose these attacks — particularly if they choose to pay the ransom.

The healthcare sector in particular has been a focus of ransomware discussion this year.

The healthcare sector as well as technology platforms such as Apple and WordPress have been a focus of ransomware discussion in 2016.

The reason ransomware has continued to gain popularity is simple — it is a cheap tool that has a high profit margin. Not long ago, malware developers were selling Cryptolocker ransomware kits with source code included for just $3,000. It wouldn’t take long for a criminal to recoup that initial investment as the average ransom demand is anywhere from $300 to $500. Recently, Hollywood Presbyterian Hospital reportedly paid $17,000 after suffering a ransomware attack.

Trending Ransomwares in 2016

There are three variants of ransomware that have stood out in the beginning of 2016: KeRanger, TeslaCrypt and Locky.

Although there are many different types of ransomware, KeRanger, TeslaCrypt and Locky have been the most discussed so far in 2016.

KeRanger malware has received a lot of discussion due to its connection with Apple. Locky ransomware has been observed in several attacks in 2016, and TeslaCrypt, which has been around for more than a year, continues to evolve.

TeslaCrypt and Locky ransomware have steadily appeared in SurfWatch Labs’ data over the last two months. KeRanger ransomware made a big splash in the beginning of March.

KeRanger Ransomware

The newest addition on the list, KeRanger Ransomware, first made headlines in the beginning of March due to its accomplishments. It is the first ever fully functional Mac OS X ransomware in existence.

KeRanger was able to successfully infect a BitTorrent client used on OS X known as Transmission. More specifically, it infected Transmission version 2.90. Transmission has since warned users that version 2.90 was malicious and prompted users to download version 2.91.

TeslaCrypt Ransomware

TeslaCrypt Ransomware initially made headlines back in early 2015 for infecting computer gamers. Over the last year, TeslaCrypt has continued to evolve, with the latest version TeslaCrypt 4.0 released earlier this month. The ransomware is now capable of attacking organizations and home users.

The latest edition of TeslaCrypt features RSA 4096 for encrypting data. This feature makes decrypting data impossible. Tools developed to combat previous TeslaCrypt versions, such as “TeslaDecoder,” will not work with TeslaCrypt 4.0.

TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have been able to release four versions of the ransomware, each more sophisticated than the last version. If any weaknesses are found in TeslaCrypt 4.0, look for malware creators to move quickly in creating a new version addressing those weaknesses.

Locky Ransomware

Locky ransomware was discovered in February 2016. The ransomware works like most strains: it infects a user’s computer, encrypts the content on the computer, and then a ransom is extracted in order to decrypt the information. It is in the encryption step that the ransomware gets its name, as it renames all the user’s files with the extension .locky.

This ransomware is being distributed through malicious macros in Microsoft Word attachments. In typical cases, victims receive a spoofed email with a Microsoft Word attachment seeking some sort of payment for a service or product. When the attachment is clicked, a document appears with scrambled text. The user is then instructed to click an Office macro to unscramble the text, which leads to infection.
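
Because the infection depends on the recipient enabling a macro, a mail gateway can triage Word attachments by whether they carry a macro project at all. The following is an added example, not part of the original article: the function names and return labels are assumptions, and the sample documents are constructed in memory.

```python
import io
import zipfile

# Magic bytes of the legacy binary Office container (.doc, .xls, .ppt).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def triage_attachment(data):
    """Classify an attachment's bytes by macro risk.

    Returns one of:
      "macro"       OOXML package that carries a VBA project
      "legacy-ole"  binary Office file; macros are possible and an OLE
                    parser is needed to tell, so treat as suspect
      "no-macro"    OOXML package without a VBA project
      "not-office"  anything else
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = [n.lower() for n in pkg.namelist()]
    if "[content_types].xml" not in names:
        return "not-office"  # a plain zip archive, not an Office package
    # Judge by content, not by the file extension the sender chose.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"

def build_sample(with_macro):
    """Build a constructed, minimal OOXML-shaped package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes only; this is not a real VBA project.
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

A gateway policy built on this would quarantine "macro" and "legacy-ole" attachments from external senders.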

This ransomware variant made huge headlines for causing Methodist Hospital of Henderson, Kentucky, to declare an “internal state of emergency.” Fortunately, Methodist Hospital was able to regain their data without paying the cybercriminal’s ransom demand of four bitcoins ($1,600).

Being Prepared is Key

Although ransomware has been making headlines for the last few years, data from 2016 suggests more criminals are going to focus on this tactic and more organizations are going to be victimized. Businesses need to be aware of this threat and take action now to mitigate the effects of a potential attack.

As recent attacks have shown, the overall cost of a ransomware attack can be much greater than just the ransom demand.